FW: [Openswan Users] OpenSwan AH only

Luis Rodrigues luis.rodrigues at netgraf.com
Wed Sep 15 11:33:00 CEST 2004


Anyway, I've found this on the mailing list, and it's kind of my problem.
Sometimes the DrayTek Vigor 2600 marks the tunnel as up, and I can't get any
traffic through the tunnel. The only solution is to shut down the router for
a couple of minutes and turn it on again.

If I use DrayTek to DrayTek VPNs, the problem stays the same, unless I use
AH only.

Dear Paul Wouters,

Thanks for your feedback.
We are so glad to hear this good news from you.
Our R&D staff will implement this in the released firmware for all
Vigor routers in future.
As for the re-key problem, we will test and fix it before release.


Best regards,
Sam Hu
FAE Department / Draytek Corp.
DrayTek: for Vigorous Broadband Access


Paul Wouters <paul at xtdnet.nl> wrote:

> On Mon, 23 Aug 2004, DrayTek Support wrote:
> 
> > Dear Paul Wouters,
> >
> > Here is the beta firmware to add multi-tunnels function for Vigor2600G on the
> > attachment.
> > Please upgrade it and kindly share the result with us.
> > Note, this beta firmware has been authenticated this function only.
> 
> Your beta-firmware image is working flawlessly!
> We now have two tunnels up from the Vigor to an Openswan server and traffic is
> flowing over both tunnels!
> 
> Will you also be updating the Vigor 2500s with this bugfix? Since most of our
> Vigor models are actually the 2500 (annex A and B) and the 2500Ge models.
> 
> The other problem I reported about the failing rekeying was also found. It seems
> that the web interface doesn't always update all the changes you make when there
> is a popup involved. So we ended up having some weird tunnel that started from the
> Openswan end using ESP and at rekey time the Vigor wanted to negotiate AH only.
> Openswan incorrectly marked the ESP tunnel as "up" while it was endlessly failing
> to rekey over the ISAKMP channel.
> 
> Thanks to Draytek for the great support on this issue!
> 
> Paul

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Tuesday, 14 September 2004 20:23
To: Luis Rodrigues
Cc: users at openswan.org
Subject: Re: [Openswan Users] OpenSwan AH only

On Tue, 14 Sep 2004, Luis Rodrigues wrote:

> I only have one question: Is it possible to use only the AH auth, and no
> ESP encrypt?

Yes, you can specify: auth=ah

If using KLIPS, you need to make sure it has been compiled with AH support. 
We recently started shipping the default KLIPS configuration without AH
support.

> This is very important to me, because I would like to use a router as a
> remote VPN site, and it has some problems with ESP.

Obviously the proper way to fix this is to replace that device. You can also
try and tweak its configuration a bit so that its bug doesn't get triggered.
For instance, with Watchguard, you can work around a bug in the ESP MD5
HMAC by only offering SHA1. Something similar might be possible for your
router, so you can keep encrypting your VPN (and not turn it into a Virtual
Public Network).

Paul
ps. netgraf as in BSD's netgraph? I hope that is not the device in question? :)
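The two options Paul describes, side by side in Openswan's ipsec.conf syntax, as an added example that is not from the thread, from Paul, or from the Openswan distribution. The conn names, addresses and subnets are placeholders, the pre-shared key is assumed to live in ipsec.secrets, and the algorithm strings are illustrative choices for the 2004-era gear under discussion, not a recommendation for today:

```conf
# Added example, not from the original thread. Two conn definitions for the
# same Openswan <-> router pair. 192.0.2.1 / 198.51.100.1 and the 10.x subnets
# are placeholder values; the PSK is assumed to be present in ipsec.secrets.
config setup
        # The auth=ah conn below only works on KLIPS if KLIPS was built with
        # AH support (the reply notes the default build now ships without it).
        interfaces=%defaultroute

# Preferred: keep ESP (encryption plus integrity) and sidestep the peer's bug
# by restricting the proposal, the way the Watchguard MD5 HMAC bug is avoided
# by offering SHA1 only. Nothing crosses the wire in the clear.
conn vigor-esp-sha1
        type=tunnel
        left=192.0.2.1
        leftsubnet=10.1.0.0/24
        right=198.51.100.1
        rightsubnet=10.2.0.0/24
        authby=secret
        auth=esp
        esp=3des-sha1               # MD5 never appears in the proposal
        ike=3des-sha1-modp1024
        pfs=yes
        auto=start

# Last resort: AH only. Packets are integrity-protected and origin-
# authenticated but NOT encrypted; this is the "Virtual Public Network"
# the reply warns about. Both ends must agree on this: an ESP conn on one
# side and AH on the other is exactly the mismatch that produced the
# endless rekey failure in the forwarded message.
conn vigor-ah-only
        type=tunnel
        left=192.0.2.1
        leftsubnet=10.1.0.0/24
        right=198.51.100.1
        rightsubnet=10.2.0.0/24
        authby=secret
        auth=ah
        ike=3des-sha1-modp1024
        pfs=yes
        auto=ignore                 # defined but disabled until deliberately chosen
```

A quick way to confirm which of the two is actually in effect is to sniff the outer interface: ESP traffic shows up as IP protocol 50 with an opaque payload, while an AH-only tunnel shows IP protocol 51 and the inner packets are readable in the capture, so anyone on the path between the two sites can read them too.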